DETAILED ACTION 

1. This is in response to the amendment filed on 25 May 2005. 

2. Claims 1-30 are pending in the application. 

3. Claims 1-30 are rejected. 

Response to Arguments 

1. Applicant's arguments with respect to claims 1-30 have been considered but are 
moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 



2. Claims 1-9, 12-15 and 18-30 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Jardin US (6,681,327) in view of Friedman et al. US (6,240,513). 
As to claims 1, 23 and 30: Jardin discloses a method for secure communications 
between a client and one of a plurality of servers performed on an intermediary device 
coupled to the client and said plurality of servers, comprising: 

(a) establishing an open communications session between the intermediary 
device and the client via an open network; (items 210, 220, 230 and 240 of FIG. 
2 describe the "handshake" between the client and the server which is used to 
start any SSL communication between the server and the client) 

(b) negotiating a secure communications session with the client; (Col 6, lines 40- 
47) 

(c) establishing an open communications session with said one of said plurality of 
servers via a secure network; (Col 6, lines 40-47) 

(d) receiving encrypted data from the client via the secure communications 
session; (Col 6, line 67;) 

(e) decrypting encrypted application data; (Col 6, line 67) 

(f) forwarding decrypted application data to the server via the secure network; 
(Col 7, line 4) 

(g) receiving application data from the server via the secure network; (Col 8, lines 
23-25) 

(h) encrypting the application data; and (Col 6, lines 1-3 and items 250, 260 of 
FIG. 2) 

(i) sending encrypted application data to the client. (Col 8, lines 24-26) 

(j) detecting a communications anomaly in a communications session between 
the client and the intermediary device; and (Col 8, lines 31-35) 

(k) passing TCP data from through the intermediary device. (Col 4, lines 37-43) 

but Jardin doesn't explicitly disclose that steps (e) and (f) are performed at the 
packet level of a network stack of the intermediate device without processing the 
application data with an application layer of a network stack. However, Friedman 
discloses a network security device responsible for establishing a secure session 
between two clients (Abstract), where he teaches that the encryption/decryption and 
forwarding of packets are done at the packet level of the network stack of the 
device without reaching the application layer of the stack (Col 5, lines 47-55 & 
Col 6, line 61 through Col 7, line 8). Therefore it would have been obvious to one of 
ordinary skill in the art at the time the invention was made to modify the Jardin 
system with the teachings of Friedman to perform the steps of 
encrypting/decrypting and forwarding the packets at the packet level of the 
network stack without processing application data with the application layer of the stack. 
One would be motivated to do so because such modification would enable the 
system to process the packet at any network-layer device, like regular routers, 
with nominal modification to the device. Furthermore, this would improve the 
performance of the system because the device can encrypt/decrypt the packet 
without waiting for the application data packets to arrive and be processed (Col 7, 
lines 11-21). 
As to claim 2: Jardin discloses the method of claim 1 wherein said step (a) comprises 
the sub steps of: 

• receiving a request for a communications session from the client; (item 210 of 
FIG. 2) 

• responding to the request for a communications session in place of the server; 
and ( item 220 of FIG.2) 

• establishing a secure communications session between the client and the 
intermediary device. (items 220, 230 and 240 of FIG. 2 describe the "handshake" 
between the client and the server which is used to start any SSL communication 
between the server and the client) 

As to claim 3: Jardin discloses the method of claim 2 wherein said step of (a) 
comprises: 

• receiving a TCP SYN packet from a client and responding to the SYN packet with 
appropriate responses as a proxy for the server. (Col 4, lines 39-41) 

As to claim 4: Jardin discloses the method of claim 1 wherein said step of negotiating a 
secure communications session comprises negotiating an SSL session with the client in 
place of the server. (Col 6, lines 1-3) 

As per claims 5, 7 and 22: The method of claim 1 further including: 
Receiving the application data as multi-segment records (Col 6, lines 66-68); 
Forwarding at least a portion of the decrypted application data for each of the records prior to 
receiving complete records (Col 7, lines 3-5); but he doesn't disclose discarding at least 
a portion of each of the records after forwarding; and authenticating the decrypted 
application data of each data record using the remaining non-discarded portion of the 
data record upon receiving a final segment of the multi-segment record. However, 
Friedman discloses a network security device responsible for establishing a secure 
session between two clients (Abstract), where he teaches discarding a portion of the 
record after forwarding (Col 12, lines 43-49 & Col 13, lines 12-21) and authenticating 
the decrypted application data using the remaining portion of the data (Col 16, lines 
14-36). Therefore it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the Jardin system with the teachings of 
Friedman to discard a portion of the record after forwarding and authenticate the 
decrypted application data. One would be motivated to do so because discarding a 
portion of the record and authenticating the remaining portion will enable the system 
to identify and discard records that have been altered or modified without processing 
the complete record. 

As to claim 6 : Jardin discloses the method of claim 1 wherein the step of forwarding 
decrypted application data to said one of said plurality of servers comprises forwarding 
unauthenticated application data. (Col 7, line 4) 
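Claims 5, 7 and 22 above (forwarding decrypted portions of a multi-segment record before the record is complete, discarding the forwarded portion, and authenticating at the final segment) and claim 6 (forwarding unauthenticated application data) describe one streaming design that is easier to judge in code. The following Python is an added example written for this page; it is not code from the Jardin or Friedman patents or from the application under examination. It models a record as length || ciphertext || HMAC-SHA256 tag, uses a constructed SHA-256 keystream as a stand-in for the record-layer cipher (a toy, not SSL), splits the record into short "TCP segments", and has the intermediary decrypt and forward each segment as it arrives while retaining only the running MAC state, so that the check at the final segment flags an altered record even though the forwarded bytes have already left for the server. The keys, the message, the segment size and all class and function names are assumptions.

```python
import hashlib
import hmac

TAG_LEN = 32   # HMAC-SHA256 tag appended to each record (assumed format)
HDR_LEN = 4    # big-endian ciphertext length prefix (assumed format)


def _keystream(key: bytes, offset: int, length: int) -> bytes:
    """Toy keystream, constructed for this example only: SHA-256(key || block index)
    blocks, sliced so decryption can resume at any byte offset of the record."""
    out = bytearray()
    block, skip = offset // 32, offset % 32
    while len(out) < skip + length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[skip:skip + length])


def seal_record(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Client side: length || ciphertext || HMAC(ciphertext) (encrypt-then-MAC)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, 0, len(plaintext))))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return len(ct).to_bytes(HDR_LEN, "big") + ct + tag


class StreamingRecordProxy:
    """Intermediary that decrypts and forwards a record segment by segment, keeps only
    the running MAC state (the forwarded bytes are discarded), and verifies the tag
    once the final segment has arrived."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key = enc_key
        self.mac = hmac.new(mac_key, digestmod=hashlib.sha256)
        self.hdr = b""
        self.ct_len = None
        self.pos = 0            # ciphertext bytes already decrypted and forwarded
        self.tag = b""
        self.forwarded = []     # chunks the backend server has already received
        self.verified = None    # None until the tag is complete, then True/False

    def feed(self, segment: bytes) -> None:
        buf = segment
        # 1. assemble the length header; it may itself straddle segments
        if self.ct_len is None:
            need = HDR_LEN - len(self.hdr)
            self.hdr, buf = self.hdr + buf[:need], buf[need:]
            if len(self.hdr) < HDR_LEN:
                return
            self.ct_len = int.from_bytes(self.hdr, "big")
        # 2. decrypt and forward ciphertext bytes immediately, retaining only MAC state
        take = min(len(buf), self.ct_len - self.pos)
        if take:
            ct_part, buf = buf[:take], buf[take:]
            self.mac.update(ct_part)
            ks = _keystream(self.enc_key, self.pos, take)
            self.forwarded.append(bytes(a ^ b for a, b in zip(ct_part, ks)))
            self.pos += take
        # 3. collect the trailing tag; authenticate as soon as it is complete
        if self.pos == self.ct_len and buf:
            self.tag += buf[:TAG_LEN - len(self.tag)]
            if len(self.tag) == TAG_LEN:
                self.verified = hmac.compare_digest(self.mac.digest(), self.tag)


def split_segments(record: bytes, size: int) -> list:
    """Constructed stand-in for TCP segmentation of one record."""
    return [record[i:i + size] for i in range(0, len(record), size)]


def run_proxy(enc_key: bytes, mac_key: bytes, segments: list) -> tuple:
    """Returns (plaintext already forwarded to the server, tag verified or not)."""
    proxy = StreamingRecordProxy(enc_key, mac_key)
    for seg in segments:
        proxy.feed(seg)
    return b"".join(proxy.forwarded), proxy.verified


def demo() -> tuple:
    enc_key, mac_key = b"k" * 32, b"m" * 32              # constructed keys
    msg = b"GET /account HTTP/1.1\r\nHost: app\r\n\r\n"   # constructed message
    segs = split_segments(seal_record(enc_key, mac_key, msg), 7)
    good = run_proxy(enc_key, mac_key, segs)
    # Constructed fault: one ciphertext byte in the second segment is altered in transit.
    bad_segs = list(segs)
    bad_segs[1] = bytes([bad_segs[1][0] ^ 0x01]) + bad_segs[1][1:]
    bad = run_proxy(enc_key, mac_key, bad_segs)
    return good, bad


if __name__ == "__main__":
    (ok_pt, ok), (bad_pt, bad) = demo()
    print("intact record verified:", ok, "forwarded:", ok_pt)
    print("altered record verified:", bad, "forwarded anyway:", bad_pt)
```

The altered run makes the trade-off behind the examiner's motivation statement concrete: the proxy does detect the modification at the final segment without buffering the whole record, but by then the altered plaintext has already been forwarded, so a deployment of this design needs the server to treat record data as tentative until the proxy confirms it, or the proxy to tear the session down on a verification failure.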
As to claims 8 and 14: Jardin teaches the method of claim 1 wherein, prior to said step of 
establishing a communications session with one of said plurality of servers, the method 
includes the step of: 

• selecting one of said plurality of servers to forward said decrypted authentication 
data to based on a load-balancing algorithm that calculates current processing 
loads associated with each of the servers. (Col 8, line 27 through Col 9, line 
10; Jardin teaches different algorithms in his embodiments to balance the load 
on the plurality of servers) 

As to claim 9: Jardin discloses the method of claim 8 further including the step of: 
tracking data passing between the client and said one of said plurality of servers. (Col 8, 
lines 31-33) 

As to claim 12: Jardin discloses an apparatus coupled to a public network and a secure 
network, communicating with at least one client via the public network and 
communicating with one of a plurality of servers via the secure network, comprising: 

• a network interface communicating with the public network and the secure 
network; (Col 2, lines 57-65) 

• at least one processor; (Col 6, lines 32-34) 

• programmable dynamic memory addressable by the processor; () 

• a communications channel coupling the processor, memory and network 
communications interface; (Col 2, lines 57-65) 
• a proxy TCP communications engine; (Col 4, lines 34-36) 

• a proxy SSL communications engine; (Col 4, lines 24-29) 

• a server TCP communications engine; (Col 2, lines 54-65) and 

• a packet data encryption and decryption engine. (Col 7, lines 29-32) 

but he doesn't disclose that the proxy SSL communication engine and the server TCP 
communications engine decrypt encrypted application data from the client and 
forward the decrypted application data to the one of the plurality of servers without 
processing the application data with an application layer of a network stack of the 
apparatus. However, Friedman discloses a network security device responsible 
for establishing a secure session between two clients (Abstract), where he 
teaches that the encryption/decryption and forwarding of packets are done at the 
packet level of the network stack of the device without reaching the application 
layer of the stack (Col 5, lines 47-55 & Col 6, line 61 through Col 7, line 8). 
Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to modify the Jardin system with the teachings of Friedman 
to perform the steps of encrypting/decrypting and forwarding the packets at the 
packet level of the network stack without processing application data with the 
application layer of the stack. One would be motivated to do so because such 
modification would enable the system to process the packet at any network-layer 
device, like regular routers, with nominal modification to the device. Furthermore, 
this would improve the performance of the system because the device can 
encrypt/decrypt the packet without waiting for the application data packets to 
arrive and be processed (Col 7, lines 11-21). 

As to claim 13: Jardin discloses the apparatus of claim 12 further comprising a 
negotiation manager that enables the apparatus as a TCP and SSL proxy for the server. 
(Col 4, lines 24-29) 

As to claim 15: Jardin discloses the apparatus of claim 12 wherein the encryption and 
decryption engine decrypts encrypted packet data to produce application 
data. (Col 6, line 66 through Col 7, line 2) 

As to claim 18: The apparatus of claim 16 further including a recovery manager using 
said database to recover from communication errors. (Col 8, lines 27-41) 

As to claim 19: Jardin discloses the apparatus of claim 12 wherein the packet data 
encryption and decryption engine decrypts packets from SSL data which spans over 
multiple TCP segments and forwards packet data to a server which is not authenticated. 
(Col 7, line 4 and lines 44-45; the examiner deeming the data spanning over multiple 
TCP segments to be inherent to any TCP/IP system, which splits the application data 
packets into multiple TCP/IP packets to be transmitted over the network.) 
As to claim 20: Jardin discloses the apparatus of claim 12 wherein said data is not 
buffered during decryption. (Col 3, lines 4-13; in one embodiment the first server is 
configured to decrypt contents of the data packet and re-direct the data packet) 

As to claim 21: The apparatus of claim 12 wherein said data is buffered for a length 
sufficient to complete a block cipher used to encrypt the data. (Col 2, line 65 through 
Col 3, line 3; the broker in the second embodiment has a dynamically allocated buffer) 

As to claim 24: Jardin system discloses the method of claim 23 wherein the secure 
communication is SSL protocol encrypted application data. (Col 4, lines 54-56) 

As to claim 25: Jardin system discloses the method of claim 23 wherein said step of 
receiving comprises the sub steps of initiating a communications session with the 
enterprise and negotiating a secure communication session with the device. (items 
210, 220, 230 and 240 of FIG. 2 describe the "handshake" between the client and the 
server which is used to start any SSL communication between the server and the client) 

As to claim 26: Jardin system discloses the method of claim 23 further including the 
step of negotiating an open communication session with said at least one server of the 
enterprise and wherein said step of forwarding includes forwarding decrypted data via 
the open communication network. (Col 6, lines 40-47 and Col 7, line 4) 
As to claim 27: Jardin discloses the method of claim 23 wherein said step of receiving 
communications includes receiving a plurality of secure communication sessions from a 
plurality of customers. (Col 4, lines 11-16) 

As to claim 28: Jardin discloses the method of claim 27 further including a step of 
selecting one of a plurality of enterprise servers to which to direct data in said step of 
forwarding said decrypted packet data. (Col 8, line 27 through Col 9, line 10) 

3. Claims 10, 11, 16, 17 and 29 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Jardin US (6,681,327) in view of Friedman et al. US (6,240,513) as 
applied to claim 1 above, and further in view of Abramson et al. US (6,539,494). 

As per claims 10, 11, 16, 17 and 29: Jardin as modified in claim 1 does not explicitly 
explain establishing a database to track session information to track TCP and SSL 
communication. However, Abramson et al. teaches the use and tracking of a session 
information database tracking TCP, SSL and other packet information (column 1, line 62, 
through column 2, line 18) and using it to recover from communication errors. Therefore, 
it would have been obvious to a person of ordinary skill in the art at the time the invention 
was made to modify the system of Jardin with the teaching of Abramson to back up and 
track session information in communication between a client and a server. One would be 
motivated to do so in order to enable the system to recover from communication failures 
transparently (Col 4, lines 55-67) and reconstitute the session data into a new session 
without loss of data. 

Conclusion 

4. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Baskey et al. US (6,732,269) teaches an SSL proxy utilization. 
Jacobson et al. US (6,785,719) teaches the use of an SSL handler for all SSL 
communication. 

5. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 


Application/Control Number: 09/900,496 
Art Unit: 2136 
Page 13 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Firas Alomari whose telephone number is (571) 272-7963. 
The examiner can normally be reached on M-F from 8:30 am - 5:00 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, AYAZ SHEIKH can be reached on (571) 272-3795. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

Firas Alomari 
Examiner 
Art Unit 2136 